Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952. Companies House 07014570. Cover availability and terms depend on insurer underwriting at the time of quotation.
This page is for the buyer who has typed "cyber insurance" into a search engine and wants a serious answer. You may be a 12-person accountancy practice that just had a phishing scare, a £40m wholesaler whose finance director paid a fake invoice, or a tech firm renewing a policy that has tripled in price. You are here because cyber risk has become a board-level conversation and you want to know what good cover looks like and where the traps are.
We place standalone cyber cover for SMEs and mid-market businesses across the Bristol catchment. Limits run from £500k on a small professional practice to £10m and above on regulated firms with data processing exposure. The single most common cyber claim we see is not ransomware. It is funds transfer fraud, a finance team paying a manipulated invoice into a criminal-controlled account, and it is one reason we recommend most clients move beyond a packaged add-on.
Tech firms should also read /commercial/it-tech/. Office-based businesses considering cyber as part of a broader package, see /commercial/office/. Marketing, PR, and creative agencies dealing with client data and IP, see /commercial/marketing-pr-creative/. For where cyber and PI meet, see our cyber and PI overlap hub at /cyber-pi-overlap-hub/.
What commercial cyber insurance is
Cyber insurance is the name the market gives to a policy that responds to incidents involving your IT systems, your data, and the data you hold about other people. It is one of the youngest mainstream commercial covers in the UK market and has matured rapidly between 2018 and the present. The shape of a modern policy is now reasonably standardised across leading carriers, even if wordings still diverge meaningfully in detail.
A cyber policy splits into first-party cover, losses suffered by your own business, and third-party cover, liability arising from claims brought against you. The first-party section is where the operational money is. It pays for the incident response firm that comes in at 2am to contain a ransomware deployment, the forensic investigation, the legal counsel who manages notification obligations, public relations support, the cost of rebuilding systems and restoring data, and lost gross profit during the period operations are degraded. The third-party section responds when somebody else sues you because of a breach, typically a data subject, a regulator, a card scheme, or another business affected by malware that travelled through you.
The market sells cyber in two principal ways. The first is as an add-on to a commercial combined or office package: Hiscox 606, Aviva Fast Trade, AXA Business Insurance and similar will include a cyber section with limits of £25k, £100k, or £250k. The second is as a standalone policy from a specialist cyber underwriter, with limits typically starting at £500k and running to £10m and above. The choice is not really about price. It is about whether you have a real exposure and want a real response, or want a small contingent fund and a phone number to call.
The line between "package add-on is fine" and "you need a standalone policy" sits at the point where one of three things becomes true. You hold meaningful volumes of personal data (a few thousand customer records is plenty). You run any business process that depends on IT being up, which is now most businesses. Or you have any contract that asks you to confirm you carry cyber cover. Once any of those is in play, the standalone policy is the right tool. The package add-on is a token, not a transfer of risk.
The covers you actually need
A modern standalone cyber policy is built around a defined set of insuring clauses. We group them below by who suffers the loss — first-party covers respond to your own business, third-party covers respond to claims brought against you.
First-party: incident response and recovery
The incident response section is the working capital of a cyber policy. Most credible carriers operate a panel of IR firms, with Mandiant, CrowdStrike, Kroll, Stroz Friedberg and Charles River appearing repeatedly, and the policy gives you direct access. A breach coach, usually a partner in a specialist law firm, is appointed to project-manage the response and preserve legal privilege over the forensic work. We push clients to read the panel list before binding. The quality of the panel is a meaningful differentiator between carriers.
Forensics costs run from £25k for a small contained incident to £500k or more for a serious enterprise breach. Notification costs, the obligation under UK GDPR Article 33 to notify the ICO within 72 hours plus the cost of notifying affected data subjects, scale with the size of the data set. PR and crisis communications support is included by most carriers. We recommend limits of £250k to £1m for the incident response section on most SMEs.
First-party: ransomware and extortion
Ransomware cover pays for the extortion demand itself where payment is lawful, plus the cost of negotiation, the cryptocurrency facilitation, and the operational restoration that follows. The UK government has signalled increasing reluctance to permit ransom payment, and any payment must be screened against the OFSI sanctions list. Paying a sanctioned group is a criminal offence regardless of commercial pressure. In practice, modern policies are oriented far more toward restoration than payment. Business interruption, rebuilding from backup, system reconstruction, and data recreation costs are typically the largest line items in a serious ransomware claim, not the ransom.
First-party: business interruption
Cyber BI pays for lost gross profit and additional increased cost of working during the period operations are degraded by a cyber event. Waiting periods are typically 8 to 12 hours. The indemnity period is usually 12 months, sometimes extended to 18 or 24 on negotiation. Wording matters enormously here. Some policies trigger only on a narrowly defined "network security failure". Better wordings respond to system failure, dependent business interruption where your cloud provider goes down (the 2024 CrowdStrike outage was the test case), and outsourced service provider failure.
First-party: cyber crime and funds transfer fraud
This is the cover that earns its keep most often. Cyber crime, social engineering, and funds transfer fraud all describe the same underlying loss: somebody in your business is manipulated into transferring money to a criminal-controlled account, usually via a compromised email or a convincing fake. Microsoft 365 business email compromise is the dominant vector. Sub-limits are typically £100k to £500k even on policies with much larger overall limits, a deliberate carrier decision because frequency is high. Read this section line by line. Some wordings require verbal verification of payment instructions as a condition precedent. Some exclude losses where the fraud originated from the insured's own email being compromised. The details determine whether the cover responds.
Third-party: privacy and regulatory
Privacy liability cover responds to civil claims brought by data subjects whose personal data has been compromised. Regulatory defence cover pays the cost of responding to an ICO investigation. UK GDPR Article 83 fines are insurable in principle: civil regulatory fines generally are and criminal fines never are, but the position varies by carrier and jurisdiction. We always ask the question explicitly at binding. Limits for the regulatory section typically sit at the lower end of the overall policy limit, often £1m or £2m.
Third-party: media, network security, and PCI
Media liability covers defamation, breach of confidence, and IP infringement arising from your published content. It is the cousin of professional indemnity cover and the overlap can be material for content-led businesses. Network security liability responds when malware travels from your system to a client's and causes loss, the supply chain attack scenario that has become a more frequent question after SolarWinds, Log4j, the 2023 MOVEit Cl0p campaign, and the 2024 CrowdStrike incident. PCI fines and assessments cover the fines and forensic assessment costs imposed by acquiring banks following a card-data breach. If you take card payments, this section is non-negotiable.
Most modern policies also include some form of reputational harm cover. In practice, these claims are notoriously hard to prove and frequently disputed. We treat this as a useful headline limit but not a cover to plan around.
Sector-specific risks we see most
The Microsoft 365 invoice fraud claim
The most common cyber claim we see is a finance team member paying a manipulated supplier invoice into a criminal-controlled account. A typical claim looks like this: a regular supplier's email account is compromised, the criminal monitors the mailbox for weeks, identifies an in-flight invoice, sends a near-identical follow-up with revised bank details, and the payment goes out. The loss is between £15k and £150k. Whether the cover pays depends on whether your wording requires verbal verification of bank detail changes, whether MFA was in place on the email accounts, and whether the loss is treated as your own crime loss or your supplier's. We have seen claims declined on each of these points.
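The call-back control that the wording conditions above turn on, written out as an added example (not Apex's code or any insurer's wording): supplier records, invoices and the call-back log are constructed sample data, and the 30-day validity window for a call-back is an assumption.

```python
# Added example, not Apex's code or any insurer's wording. Models the control
# the funds transfer fraud wordings above turn on: a payment is released only
# when the invoice bank details match the supplier master record, or a call-back
# to the phone number already on file has confirmed the change. All supplier,
# invoice and call-back data is constructed; the 30-day window is an assumption.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class BankDetails:
    sort_code: str
    account: str

@dataclass(frozen=True)
class Supplier:
    name: str
    bank: BankDetails   # captured at onboarding, never updated from an email
    known_phone: str    # captured at onboarding; the only number used for call-backs

@dataclass(frozen=True)
class Invoice:
    ref: str
    supplier: str
    amount_gbp: int
    bank: BankDetails   # whatever the invoice or "revised details" email says

@dataclass(frozen=True)
class CallBack:
    supplier: str
    phone_used: str
    confirmed_bank: BankDetails
    when: date

def release_decision(invoice, supplier, callbacks, today, max_age_days=30):
    """Return (may_release, reason) for one invoice against its supplier record."""
    if invoice.bank == supplier.bank:
        return True, "bank details match supplier master record"
    # Details differ from the master record: the point at which the invoice
    # fraud claim is lost. Require a logged call-back that confirmed exactly
    # these details, was made to the number on file, and is still in date.
    matching = [cb for cb in callbacks
                if cb.supplier == supplier.name and cb.confirmed_bank == invoice.bank]
    if not matching:
        return False, "bank details changed and no call-back verification logged"
    latest = max(matching, key=lambda cb: cb.when)
    if latest.phone_used != supplier.known_phone:
        return False, "call-back made to a number not on the master record"
    if (today - latest.when).days > max_age_days:
        return False, "call-back verification has expired"
    return True, "changed bank details confirmed by call-back to number on file"

def run_payment_run(invoices, suppliers, callbacks, today):
    """Split a payment run into released and held invoices, each with a reason."""
    result = {"released": [], "held": []}
    for inv in invoices:
        ok, reason = release_decision(inv, suppliers[inv.supplier], callbacks, today)
        result["released" if ok else "held"].append((inv.ref, reason))
    return result

# Constructed sample data: one supplier, a genuine invoice, the fraudster's
# near-identical follow-up with diverted details, and a genuine bank change.
TODAY = date(2025, 3, 14)
ON_FILE = BankDetails("20-00-00", "11111111")
DIVERTED = BankDetails("30-99-99", "99999999")    # criminal-controlled account
NEW_GENUINE = BankDetails("40-12-34", "22222222")
SUPPLIERS = {"Westbury Packaging": Supplier("Westbury Packaging", ON_FILE, "0117 000 0001")}
INVOICES = [
    Invoice("INV-101", "Westbury Packaging", 42000, ON_FILE),
    Invoice("INV-102", "Westbury Packaging", 42000, DIVERTED),
    Invoice("INV-103", "Westbury Packaging", 15000, NEW_GENUINE),
]
CALLBACKS = [CallBack("Westbury Packaging", "0117 000 0001", NEW_GENUINE, date(2025, 3, 10))]
```

Running `run_payment_run(INVOICES, SUPPLIERS, CALLBACKS, TODAY)` releases INV-101 and INV-103 and holds INV-102 with the reason that no call-back was logged.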
Ransomware on operational systems
For manufacturing clients, hospitality groups, healthcare clinics, and any business with operational systems that go down when IT goes down, ransomware is an existential event. Cl0p, Royal, LockBit, BlackCat/ALPHV, and Akira are the dominant groups in the current threat landscape. The loss is typically dominated by business interruption: the production line stopped for 11 days, the hotel unable to take bookings for a week, the clinic unable to access patient records. The ransom itself is usually a smaller proportion of the total claim. Clients with operational dependency should think in months of indemnity, not days.
Cloud misconfiguration and processor breaches
A surprising proportion of data breaches are not sophisticated attacks. They are an Amazon S3 bucket configured with public read access, a SharePoint folder shared "Anyone with the link", a database with default credentials exposed to the internet. The UK GDPR notification obligation is the same regardless of cause: 72 hours to the ICO, individual notification where there is a high risk to data subjects' rights and freedoms.
If you are a data controller and your processor is breached, you remain responsible to the data subject under UK GDPR Article 24. The 2023 MOVEit Cl0p campaign affected hundreds of UK organisations whose payroll, pensions, or HR providers used the MOVEit file transfer tool, and the downstream notification and litigation risk sat with the controller, not the processor. Cyber cover for this scenario depends on dependent business interruption wording and on the third-party privacy section responding to processor breaches.
Where packaged cyber sections let people down
Three exclusions catch buyers out most often. First, the cover often requires a "targeted attack", which rules out configuration errors and lost laptops. Second, the social engineering sub-limit is typically £25k or £50k against a real exposure of ten times that. Third, the incident response provision is often a phone number to a generic helpline rather than direct access to a credible IR firm, which means in a real incident you are scrambling to appoint and pay a specialist firm yourself. We have placed several standalone policies for clients who discovered these limitations during a live incident.
Bristol & South West considerations
The South West has one of the densest cyber skills clusters outside London, with practical implications for buyers in this region. Cheltenham sits alongside GCHQ and the National Cyber Security Centre's regional outreach, and the CyNam (Cyber Cheltenham) ecosystem supports a serious community of cyber security companies, MSSPs, and consultancies. The Cyber Runway accelerator and Hub8 in Cheltenham produce a steady stream of cyber firms, and the NCSC Cyber Growth Partnership formalises the relationship between the intelligence community and commercial sector. Bristol's own community (Bristol Cyber Security Group, ZeroCool, the cyber security teams at the University of Bristol and UWE) adds depth, and Cardiff's Crucible cyber centre extends the cluster across the Severn.
This matters to the insurance buyer because many SMEs across the South West procure managed security services from regional specialists rather than the global names. Underwriters increasingly want to see the MSSP proposal and the agreed scope of monitoring, EDR deployment, and incident response retainer, and a strong MSSP relationship lowers cyber premiums materially. We package MSSP evidence into the submission as standard.
Cheltenham and Bristol clients with intelligence community supply-chain exposure operate to a higher security baseline than the typical SME. Cyber Essentials Plus, ISO 27001, and increasingly the NCSC Cyber Assessment Framework are not unusual for these firms. That baseline translates into better cyber insurance pricing and broader cover, and Cheltenham defence supply-chain firms in the £5m to £20m turnover band routinely secure terms unavailable to non-accredited peers of the same size.
The M4 and M5 corridor and the Severn flood plain create operational dependency risk. A flood event at Avonmouth or Portishead, transport disruption on the Severn crossings, or a power outage in a Bristol data centre triggers business interruption questions that overlap material damage and cyber wordings.
How to get it right at renewal
Cyber renewals are won and lost on the quality of the submission. Underwriters expect a defined set of evidence and provide a defined set of terms in response. Producing that evidence in good order, on time, and in a presentation underwriters can actually read is the difference between a renewal with a reduction and one with a 40% increase.
Start 60 to 90 days out. The market is in stabilisation mode after the 2022–2023 hardening, with capacity returned and rates flat to softening, but capacity is not unlimited and good risks get presented to multiple markets early. The carriers we work with most often on cyber are Beazley, CFC, Coalition, Tokio Marine HCC, AIG, Travelers, Hiscox CyberClear, AXA XL, Allianz Cyber, the Lockton MGA cyber facility, Markel Cyber, RPS Coalition Connect, and Cowbell.
The underwriting prerequisites that have become baseline are non-negotiable. MFA on all remote access, email, and privileged accounts is required by every credible carrier. EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, or Sophos Intercept X) is expected on every endpoint. Immutable backups (offline, air-gapped, WORM-protected, or cloud-isolated) with documented and regularly tested restoration are scrutinised closely. An email security gateway (Microsoft Defender for Office 365, Proofpoint, or Mimecast) is expected. Patch management with a documented cadence, vulnerability scanning, and employee phishing training round out the baseline. For larger insureds, privileged access management and network segmentation become additional requirements.
The submission documents we prepare with clients include a network diagram, MSSP scope of work, EDR coverage report, backup testing log, phishing training completion rate, incident history with root cause and remediation, and data inventory by category and volume. For manufacturers, OT and ICS segmentation evidence sits alongside this. For regulated firms, regulatory permissions and data processing agreements are added.
Limit selection is a function of turnover, data volume, and contractual requirement. Sub-£5m turnover: £500k to £1m is typical. £5m to £25m: £1m to £3m. £25m to £100m: £3m to £10m. Regulated industries (healthcare, financial services, legal) skew higher. We do not recommend a multi-quote scramble in the last fortnight; it produces worse terms than a managed process started early.
How Apex helps
We are an independent commercial broker based in Bristol, regulated by the FCA under firm reference number 724952. We place cyber cover across the standalone specialist market and treat the submission as the document that determines the outcome. We sit down with clients in the planning window, work through the underwriting questionnaire properly, and gather the evidence underwriters will actually read.
When clients have an incident, we work with the carrier's IR panel to make sure the right people are mobilised in the first hour and the breach coach is engaged before the regulatory clock runs out. We are advocates at claim, not passive intermediaries.
We sit in Bristol but place risks across the catchment, from Bath and Cheltenham to Cardiff, Newport, Swindon, and the wider South West. If you want a substantive conversation about your cyber programme, get in touch.
FAQs
Do I legally need cyber insurance in the UK?
No. There is no general legal requirement to carry cyber insurance for most UK businesses. The requirement comes from your contracts — many client contracts, particularly in regulated sectors and public sector procurement, will require you to confirm cyber cover at a stated limit.
How much does cyber insurance cost for an SME?
Premiums for a small business with strong security controls can start around £750 to £1,500 for £500k of cover. A mid-market firm at £25m turnover with good controls might pay £8k to £20k for £3m of cover. The single largest variable is whether the carrier sees evidence of MFA, EDR, and tested backups.
What is the difference between cyber and crime insurance?
Crime insurance traditionally covers employee dishonesty, theft of money or securities, and third-party crime against the business. Modern cyber policies include funds transfer fraud and social engineering, which would historically have sat under a crime policy. There is meaningful overlap and we always check both wordings before binding cover.
Will my package policy's cyber section be enough?
For most businesses with real data, real IT dependency, or any client contract requirement, no. Package sections typically carry £25k to £250k sub-limits and exclude or restrict the covers that matter most — incident response panel access, social engineering, dependent business interruption, and regulatory defence.
Can I insure ransomware payments?
In principle, yes. In practice, any payment must be screened against the OFSI sanctions list and the UK government has signalled increasing reluctance to permit ransom payment. Most policies pay for the negotiation, the cryptocurrency facilitation, and the operational restoration following an attack regardless of whether a ransom is paid.
What is MFA and why do underwriters insist on it?
Multi-factor authentication is the requirement that login uses two independent factors — typically a password and a code from an authenticator app or hardware token. It reduces the success rate of credential-stuffing and phishing attacks by an order of magnitude, and it is now a baseline expectation across every credible cyber carrier we deal with.
What is EDR and do I need it?
Endpoint detection and response is software that runs on every laptop, desktop, and server in your business and monitors for malicious behaviour rather than just signature-matching for known viruses. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint and Sophos Intercept X are the dominant products. Most cyber carriers will not offer competitive terms without EDR coverage on the estate.
What happens in the first hour of a cyber incident?
You call the number on the policy schedule. The breach coach is appointed within the hour, the incident response firm is mobilised, and a privileged investigation begins. The 72-hour clock under UK GDPR Article 33 for notifying the ICO starts running from your awareness of the breach, so speed matters.
Are regulatory fines insurable?
Civil regulatory fines under UK GDPR Article 83 are insurable in principle in the UK market. Criminal fines never are, and the position varies by jurisdiction. We confirm the wording position with the carrier explicitly at binding.
My business is tiny — do I really need this?
If you hold customer data, take card payments, depend on email and IT for daily operations, or have any client contract that asks about cyber, yes. A £500k standalone policy for a micro-business is genuinely affordable and gives access to the response capability that determines outcomes in a real incident.
Do you place cyber cover outside Bristol?
Yes. We work across the 50-mile Bristol catchment including Bath, Cheltenham, Gloucester, Cardiff, Newport, Swindon, Weston-super-Mare, Yeovil, Taunton, Wells, Stroud, Chippenham, Trowbridge, Frome, and Bridgwater, and we place cyber risks nationally for clients in our existing book.
How long does a cyber quote take?
For a standard SME risk with a completed proposal form and the supporting evidence ready, we can present to market and have indicative terms back within five to ten working days. Complex risks and larger insureds take longer because more carriers are involved.
Other sectors we cover
- /commercial/it-tech/ — IT services and tech firms, where cyber sits alongside technology professional indemnity and product liability
- /commercial/office/ — Office-based businesses with cyber bundled into a broader commercial combined programme
- /commercial/marketing-pr-creative/ — Marketing, PR, and creative agencies dealing with client data, IP, and media liability exposure
For the specific question of how cyber and professional indemnity overlap when a breach turns into a client claim, see our /cyber-pi-overlap-hub/ page.
Coverage area
Apex is based in Bristol and places cyber cover across the wider South West and into Wales. We work with clients across /locations/bristol-commercial-insurance/, /locations/bath-commercial-insurance/, /locations/cheltenham-commercial-insurance/, /locations/gloucester-commercial-insurance/, /locations/cardiff-commercial-insurance/, and /locations/swindon-commercial-insurance/, and into the wider region covered by our pillar at /commercial-insurance-bristol-and-south-west/. The Cheltenham cyber cluster gives us an unusually deep regional bench of security expertise to draw on when preparing submissions.
SEO metadata
- Title tag (≤60 chars): Cyber Insurance Bristol & South West | Apex
- Meta description (≤155 chars): Standalone commercial cyber insurance from a Bristol broker. Ransomware, BEC, breach response. Broad market, FCA regulated. FRN 724952.
- Slug: /commercial/commercial-cyber/
- Primary keyword: cyber insurance Bristol
- Secondary keywords:
  - commercial cyber insurance Bristol
  - cyber insurance South West
  - ransomware insurance UK
  - business cyber insurance Bristol
  - cyber liability insurance Bristol
  - data breach insurance UK
  - cyber insurance broker Bristol
  - SME cyber insurance UK
  - cyber insurance Cheltenham
  - cyber insurance Cardiff
  - funds transfer fraud insurance
  - social engineering insurance UK
  - business email compromise insurance
  - GDPR fine insurance UK
  - ICO notification cover
  - incident response insurance
  - cyber business interruption insurance
  - standalone cyber policy UK
  - cyber insurance broker South West
  - Beazley CFC Coalition broker
- Schema types to emit: Service, LocalBusiness, InsuranceAgency, FAQPage
- Internal link targets:
  - /commercial/it-tech/
  - /commercial/office/
  - /commercial/marketing-pr-creative/
  - /cyber-pi-overlap-hub/
  - /locations/bristol-commercial-insurance/
  - /locations/bath-commercial-insurance/
  - /locations/cheltenham-commercial-insurance/
  - /locations/gloucester-commercial-insurance/
  - /locations/cardiff-commercial-insurance/
  - /locations/swindon-commercial-insurance/
  - /commercial-insurance-bristol-and-south-west/